Azure Active Directory SharePoint & Graph API


Question


I am in a bit of confusion how to get a bearer token that will work for a sharepoint sites as well as the graph api.

We are using MFA (multi-factor authentication), so we get a text message when the user tries to log in. This all works and we get a token back, but the resource I am pointing to is https://srmukdev.sharepoint.com/, so how can we use this token to access the https://graph.microsoft.com/ API?

At the moment it doesn't work. I can make separate login requests, but we don't want to do this, as it's required to access both parts with the same token. Is there a method that can translate one token to another? Something that works, at least?


You can see the current difference is the ResourceUrl

The SharePoint API details I use:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://srmukdev.sharepoint.com/" />

The Graph API details I use:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://graph.microsoft.com/" />

Many thanks.

Answer


Let's start by saying that you cannot get a token which will work for both the Microsoft Graph API and the SharePoint API directly. Tokens are created with specific audiences, and as a part of token validation by the Web API, they will check that the audience of the token matches their unique identifier.


I think one possible solution here is to realize that the Microsoft Graph token already gives you access to the SharePoint API. See the documentation here. You should be able to get a token for just the Microsoft Graph, and then use the Microsoft Graph specific endpoints to get data from your SharePoint. This is one of the problems the Microsoft Graph is trying to solve. A single endpoint and token to access all of your Microsoft data.

Another solution is to use the authorization code you receive to request two tokens for the two different endpoints. Depending on what libraries you are using and the specific flow you are following, this may be harder to accomplish, but in general the authorization code grant flow is used to sign in a user. After the user is redirected to the Microsoft login page and successfully signs in, your service receives an authorization code, which it then exchanges for an access token using the token endpoint. This authorization code can be used to get an access token for any resource the client has been configured to call, so you can call the token endpoint twice, with two different resource values, and get back two access tokens. I do this in one of my Python/Flask samples.


Finally, assuming you got back an access token and refresh token for a particular resource, you could then use the refresh token to get a token for a different resource the app has been authorized for.


The refresh token issued by Azure AD can be used to access multiple resources. For example, if you have a client application that has permission to call two web APIs, the refresh token can be used to get an access token to the other web API as well.


See here for a look at how to do this.
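The two token-endpoint calls the answer describes, written out as an added example (this is not the answerer's Flask sample and not code from the question). It uses the Azure AD v1 endpoint that the question's `ida:AADInstance` / `resource` settings imply: one authorization code is redeemed for a Microsoft Graph access token plus a refresh token, and that refresh token is then redeemed with a different `resource` value for a SharePoint token. The transport is injectable, so the module runs offline against a constructed stand-in for Azure AD (`fake_post`) that mints unsigned tokens; the authorization code `AUTH-CODE-123`, the refresh token `RT-1`, and the function names are all assumptions made for the example. The audience check at the end mirrors the validation the answer says each Web API performs.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Values taken from the question's config (the ApplicationId is its placeholder).
AAD_INSTANCE = "https://login.microsoftonline.com/{0}"
TENANT = "srmukdev.onmicrosoft.com"
CLIENT_ID = "000000-0000-0000-0000-0000000"
REDIRECT_URI = "http://someuri/"
GRAPH_RESOURCE = "https://graph.microsoft.com/"
SHAREPOINT_RESOURCE = "https://srmukdev.sharepoint.com/"


def token_endpoint(tenant=TENANT):
    # Azure AD v1 token endpoint; the `resource` form field selects the token audience.
    return AAD_INSTANCE.format(tenant) + "/oauth2/token"


def http_post(url, form):
    """Real transport: form-encoded POST, JSON response (used only when no fake is injected)."""
    req = Request(url, data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


def redeem_code(code, resource, client_secret=None, post=http_post):
    """Step 1: exchange the authorization code for tokens scoped to `resource`."""
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI, "resource": resource}
    if client_secret:  # confidential clients only; a native/public client sends no secret
        form["client_secret"] = client_secret
    return post(token_endpoint(), form)


def refresh_for(refresh_token, resource, client_secret=None, post=http_post):
    """Step 2: redeem the refresh token for an access token to a *different* resource."""
    form = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token, "resource": resource}
    if client_secret:
        form["client_secret"] = client_secret
    return post(token_endpoint(), form)


def jwt_audience(token):
    """Read `aud` from the JWT payload. Decoding only, no signature check: this is the
    client inspecting its own token, not an API validating one."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def require_audience(token, expected):
    """The check the answer describes the API doing: aud must match the resource.
    Trailing slashes are normalised; some resources use an app-ID GUID as aud instead,
    in which case `expected` should be that GUID."""
    aud = jwt_audience(token)
    if aud.rstrip("/") != expected.rstrip("/"):
        raise ValueError(f"token audience {aud!r} is not {expected!r}")
    return token


def get_graph_and_sharepoint_tokens(code, client_secret=None, post=http_post):
    """One sign-in, two tokens: code -> Graph token + refresh token -> SharePoint token."""
    graph = redeem_code(code, GRAPH_RESOURCE, client_secret, post)
    sharepoint = refresh_for(graph["refresh_token"], SHAREPOINT_RESOURCE, client_secret, post)
    return {
        "graph": require_audience(graph["access_token"], GRAPH_RESOURCE),
        "sharepoint": require_audience(sharepoint["access_token"], SHAREPOINT_RESOURCE),
    }


# --- Constructed stand-in for Azure AD so the module runs offline (not a real response) ---
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unsigned_jwt(aud):
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps({"aud": aud}).encode()) + "."


def fake_post(url, form):
    """Mints an unsigned token whose aud is whatever `resource` was requested,
    which is exactly the per-call audience selection the answer relies on."""
    assert url == token_endpoint()
    if form["grant_type"] == "authorization_code":
        assert form["code"] == "AUTH-CODE-123"  # assumed code from the redirect
    elif form["grant_type"] == "refresh_token":
        assert form["refresh_token"] == "RT-1"  # assumed refresh token
    else:
        raise ValueError("unsupported grant_type")
    return {"token_type": "Bearer", "resource": form["resource"],
            "access_token": _unsigned_jwt(form["resource"]), "refresh_token": "RT-1"}


if __name__ == "__main__":
    tokens = get_graph_and_sharepoint_tokens("AUTH-CODE-123", post=fake_post)
    for name, tok in tokens.items():
        print(name, "aud =", jwt_audience(tok))
```

Against the real endpoint, drop `post=fake_post` and pass the code from the redirect; for a confidential client add the secret. The point the example makes is that the SharePoint token never comes from "translating" the Graph token: it comes from a second grant (code or refresh token) with a different `resource`, and a token handed to the wrong API fails its audience check exactly as `require_audience` does here.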
